U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Office of Environmental Information Should Strengthen Controls Over Mobile Devices

Report No. 12-P-0427
April 25, 2012

Report Contributors:
   Patrick Gilbride
   Erin Barnes-Weaver
   Alicia Mariscal
   Ashley Sellers-Hansen

Abbreviations

EDSD    Enterprise Desktop Solutions Division
EPA     U.S. Environmental Protection Agency
FY      Fiscal year
MD      Mobile device
OEI     Office of Environmental Information
OIG     Office of Inspector General
OTOP    Office of Technology Operations and Planning
SOP     Standard operating procedure
WCF     Working Capital Fund

Hotline

To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail:   OIG_Hotline@epa.gov
phone:    1-888-546-8740
fax:      202-566-2599
online:   http://www.epa.gov/oig/hotline.htm
write:    EPA Inspector General Hotline
          1200 Pennsylvania Avenue NW
          Mailcode 2431T
          Washington, DC 20460

At a Glance

Office of Environmental Information Should Strengthen Controls Over Mobile Devices

Why We Did This Review

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) received a hotline complaint regarding misuse of mobile devices within the Office of Environmental Information (OEI). We reviewed the effectiveness of OEI’s internal controls for mobile devices issued to OEI employees and contractors, focusing on issuance, disconnection, multiple devices, inappropriate use, and tracking and recovery.

Background

OEI provides technology services for EPA, including providing telecommunications and other technologies to support Agency activities. Executive Order 13589, issued on November 9, 2011, requires agencies to assess device usage and establish controls on unused or underutilized equipment or services, as well as limit the number of employee devices.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2012/20120425-12-P-0427.pdf

What We Found

Although OEI is in the process of developing policies for domestic and international mobile device usage, OEI has no organization-wide standard operating procedures that explain responsibilities for OEI employees and contractors regarding mobile devices. OEI currently does not have effective controls for the five areas of concern noted in the hotline complaint: issuance, disconnection, multiple devices, inappropriate use, and tracking and recovery.

We found that supervisors approve employee/contractor requests for mobile devices without guidance on determining the need for a device, and there is no guidance on the frequency with which employees can upgrade a device after it has been issued. OEI has also not established controls to determine when to disconnect devices; over a 6-month period in 2011, 68 OEI employees had zero usage of their mobile devices, incurring costs of about $29,360. Moreover, OEI managers tend not to be concerned about employees having multiple devices, and we found that eBusiness does not correctly reflect the number of devices issued to employees. Therefore, EPA may be paying for service on mobile devices that are not used. In addition, we found that one OEI employee and one OEI contractor made costly personal international phone calls. Finally, procedures and controls for tracking and recovering mobile devices are missing or ineffective.

What We Recommend

We recommend that OEI implement standard operating procedures for each step of the mobile device process to cover all aspects of issuance, disconnection, multiple devices, inappropriate use, and tracking and recovery. We also recommend that OEI follow up with OEI employees and contractors to determine business case justifications for users of multiple devices, and take appropriate action on unauthorized calls identified in the sample we reviewed. Lastly, we recommend that OEI finalize Agency-wide draft domestic and international mobile device procedures and develop other Agency-wide procedures as necessary. OEI concurred with the majority of our recommendations and described planned actions to address our recommendations. Our recommendations remain open pending OEI’s corrective action plan with milestone dates, as well as additional specificity from OEI on monitoring inappropriate device usage.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

April 25, 2012

MEMORANDUM

SUBJECT:  Office of Environmental Information Should Strengthen Controls Over Mobile Devices
          Report No. 12-P-0427

FROM:     Arthur A. Elkins, Jr.

TO:       Malcolm D. Jackson
          Assistant Administrator for Environmental Information and Chief Information Officer

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates. We will post your response on the OIG’s public website, along with our memorandum commenting on your response.
Please provide your response as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want released to the public; if your response contains such data, you should identify the data for redaction or removal. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Melissa Heist at (202) 566-0899 or heist.melissa@epa.gov, or Patrick Gilbride at (303) 312-6969 or gilbride.patrick@epa.gov.

Table of Contents

Chapters
   1  Introduction
         Purpose
         Background
         Noteworthy Achievements
         Scope and Methodology
   2  OEI Lacks Effective Internal Controls and Policies for Mobile Devices
         Internal Controls and Policies for Mobile Devices Are Not Effective
         Conclusion
         Recommendations
         Agency Comments and OIG Evaluation
   Status of Recommendations and Potential Monetary Benefits

Appendices
   A  Details on Scope and Methodology
   B  Office of Environmental Information’s Response to Draft Report
   C  Distribution

Chapter 1
Introduction

Purpose

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) received a hotline complaint on May 16, 2011, regarding misuse of mobile device (MD)[1] services within the Office of Environmental Information (OEI). The complaint alleged five areas of concern: issuance, disconnection, employee usage of multiple MDs, fraudulent use, and tracking and recovery.
Accordingly, our objective was to determine whether OEI has internal controls for OEI employee and contractor MDs, and whether they effectively control:

   • Issuance
   • Disconnection
   • Use of multiple devices
   • Inappropriate use
   • Processes for tracking and recovery

Background

Internal Control Standards

The U.S. Government Accountability Office Standards for Internal Control in the Federal Government defines “internal control” as an integral component of an organization’s management that provides reasonable assurance of effective and efficient operations and compliance with applicable laws and regulations. Office of Management and Budget Circular A-123 (revised 2004) states, among other matters, that agency managers should take timely and effective action to correct internal control deficiencies. As the Government Accountability Office recognized, an internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, supports performance-based management.
Internal control is not one event, but a series of actions and activities that occur throughout an entity’s operations and on an ongoing basis.

[1] For the purposes of this report, we define MDs as cellular phones and pocket-sized computing devices, typically having a display screen with touch input or a miniature keyboard (e.g., BlackBerry).

Office of Environmental Information

Headed by the Chief Information Officer, OEI supports the Agency’s mission to protect public health and the environment by providing environmental information that can be used to inform decisions, improve management, document performance, and measure success. OEI manages the life cycle of information to support EPA’s mission. According to its website, OEI:

   • Identifies and implements information technology and information management solutions
   • Ensures the quality of EPA’s information and the efficiency and reliability of EPA’s technology, data collection, exchange efforts, and access services
   • Provides technology services and manages EPA’s information technology investments

OEI also works with many internal and external stakeholders and partners to implement information-related policies and procedures. OEI had approximately 416 employees as of June 2011.
In fiscal year (FY) 2011, OEI spent $465,871 on MD services.

OEI’s Office of Technology Operations and Planning (OTOP) supports the Agency’s information systems and products. OTOP’s Enterprise Desktop Solutions Division (EDSD) provides local area network, telecommunications, call center, and desktop support, and manages MD service.

Working Capital Fund and eBusiness

OEI OTOP procures mobile telecommunication services through EPA’s Working Capital Fund (WCF). EPA’s WCF operates like a commercial business, offering a wide range of administrative services, including financial management, information technology, telecommunications, rent and facilities, printing, and transportation services. EPA’s WCF provides services in four business lines, one of which includes the Agency’s computer and telecommunications services. All EPA WCF business is conducted through eBusiness, a Web application in which users establish the necessary accounts, shop for WCF products and services via an online catalog, obtain products and services, and monitor usage. EPA’s application of the WCF and utilization of eBusiness promotes transparency by making product, cost, and usage information available in a Web-based platform accessible to EPA office account managers and supervisors.

Policies and Procedures for Mobile Devices

Limited Personal Use of Government Office Equipment

In 2004, EPA issued Order 2101.0, Limited Personal Use of Government Office Equipment, which applies to all employees.
The policy states that employees may use government office equipment only for authorized purposes. The policy also authorizes limited personal use during non-work time if the personal use:

   • Involves minimal additional expense to the government
   • Does not reduce productivity or interfere with official duties or the official duties of others
   • Is by an employee already authorized to use the equipment for official government business
   • Is legal and appropriate

The policy specifies that users should not expect privacy when engaged in limited personal use of government office equipment, and that users should not give the appearance that personal use is in an official capacity. The policy also gives examples of inappropriate personal uses (e.g., making long-distance phone calls), and the consequences for misuse of government office equipment. The policy explains that managers and supervisors may further restrict personal use based on the needs of the office or problems with unauthorized or inappropriate use.

Cellular Equipment/Services Acquisition and Use Manual

Issued in 2002, EPA’s Cellular Equipment/Services Acquisition and Use Manual establishes directives for the acquisition and use of cellular equipment and services nationwide.
The manual states:

    Cellular telephones and other cellular equipment are to be used only for the conduct of official Government business. Federal Information Resources Management Regulation (FIRMR) and Code of Federal Regulations, Titles 5 and 41, address disciplinary actions and collection efforts that can be taken against Federal employees who misuse Government property or services. This includes the unauthorized use of Government owned property, such as cellular devices, with the intent to later reimburse the Government.

The manual requires cellular instruments to be accounted for and managed in accordance with appropriate EPA property accountability procedures.

Personal Property Management Policies

EPA’s Personal Property Policy and Procedures Manual is the authoritative reference for EPA’s management of personal property. The manual provides policy and procedural guidance on personal property management issues for EPA employees and contractors. The manual defines personal property as any property except real property (and defines real property as land, together with the improvements, structures, and fixtures located thereon).
All EPA employees and contractors must adhere to the policy and procedures set forth in the manual when executing personal property management functions on behalf of EPA.

Custodial Officer Online Training and Guide

EPA’s Custodial Officer Online Training explains a custodial officer’s responsibilities for the three stages in the personal property life cycle—acquisition, utilization, and disposition. The training describes a number of standard operating procedures (SOPs) (e.g., conducting annual and quarterly physical inventories and records management), some of which serve as internal controls. The Custodial Officers’ Guide is an extension of the online training, with more detailed examples. This guide provides information on rules and regulations that form the basis for property management, discusses the property management program within EPA, and focuses on the specific roles and responsibilities of a custodial officer within the property management structure.
As with the training, the guide offers examples of SOPs and internal controls (e.g., key forms and documents for different tasks, a physical inventory process map, and a custodial officer checklist).

Noteworthy Achievements

EPA’s Mobile Device Service Review and Optimization Analysis

In August 2010, EPA hired a contractor to execute a service review for the Agency’s MD service program, including benchmarking current MD service plans and support contracts, documenting total cost of ownership, and recommending service optimization opportunities. As part of this study, the contractor reviewed usage data as a percentage of total available plan minutes to identify devices that were not being used or were underused over a 6-month period (January–March 2010 and May–July 2010). MD usage was categorized as falling under 1, 10, 20, and 30 percent of the monthly plan available minute allotment. Although the contractor found that, overall, the MD service program is sound, the report identified areas where EPA should take immediate action to further optimize the quality of the service and reduce costs associated with service delivery.

Recent Procedural Document and SOP Drafts

In 2011, OEI drafted a number of procedural documents and SOPs pertaining to MDs specifically or personal property in general.
These include:

   • International Travel Procedure for Mobile Devices, which covers the process EPA employees and contractors must follow to comply with the provisions of the Agency’s network security policy and safeguard EPA-issued MDs while on international travel
   • Mobile Device and Wireless Network Procedures, which includes requirements for implementing and managing the domestic use of EPA-owned MDs, including only using MDs to perform official government duties
   • An Asset Management Plan for the proper management of all information technology assets, including SOPs to address acquisition, use, and physical security
   • OEI Personal Property Management, which provides OEI employees with the SOPs to properly acquire, receive, inventory, maintain, and reutilize or dispose of personal property.

Though not in place during the time of our review, once finalized, these policies and SOPs could help address the problems we describe in chapter 2.

Use of Pooled Voice Plans

To anticipate and mitigate overages by any one user, EPA uses a 200-minute pooled plan with one vendor and a 300-minute pooled plan with another. The pooled plans make these minutes available to anyone on the account, which can help the Agency avoid costs for overages.
EPA has never exceeded the total minute allowance of each pooled plan, and uses roughly 85 percent of the minutes available in carrier pools each month.

Scope and Methodology

We conducted our field work from June 2011 to February 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform our review to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our objective.

To address our objective, we reviewed policies and procedures (OEI-specific and Agency-wide) for MDs as well as those related to the personal use of MDs, including those described in the “Background” section. We also reviewed Executive Order 13589, Promoting Efficient Spending, issued on November 9, 2011, which asks each federal agency to take steps to limit the number of MDs issued to employees.

We interviewed the OIG budget team (in charge of MD payments) to benchmark and understand the process for managing MDs prior to discussions with OEI.
We then interviewed OEI headquarters staff responsible for developing and overseeing policies and procedures, including:

   • WCF MD services manager
   • Associate director for business management
   • Acting branch chief, Call Center and Business Management Branch
   • Account managers
   • WCF coordinator
   • Property/custodial officers

We also interviewed a regional technical services unit chief to get an “outside OEI” perspective on some of the allegations raised in the hotline complaint, specifically on multiple MDs and inappropriate use. We also corresponded with the hotline complainant and reviewed materials the complainant provided. Specific steps we took to address each of the five areas of concern in the hotline complaint are presented in appendix A.

Limitations

We were unable to determine the total number of MDs issued to OEI contractors through the WCF. OEI does not know whether its employees or contractors received MDs through other OEI contracts outside of OEI’s EDSD Service Agreement in eBusiness. In addition, EDSD did not know of a way to obtain that information.
We were also unable to determine how much OEI spends on MD accessories each year because OEI does not track the cost of MD accessories or the accessories themselves.

Chapter 2
OEI Lacks Effective Internal Controls and Policies for Mobile Devices

OEI supervisors issue MDs without guidance, and no clear requirements exist for how long employees should keep MDs before upgrading devices. Also:

   • A number of OEI employees do not use their MDs.
   • OEI managers have little concern about employees having multiple MDs.
   • One OEI employee and contractor used their EPA-issued MDs to make personal international calls.
   • The Agency does not track MD accessory purchases.
   • eBusiness does not correctly reflect the number of MDs issued to employees.

A number of Agency-wide policies and procedures relate to the use of MDs, and OEI is in the process of developing policies on domestic and international MD usage. However, OEI does not currently have effective internal controls or SOPs for OEI employees and contractors addressing MD issuance, disconnection, employees with multiple MDs, inappropriate use of MDs, and MD tracking and recovery.
As a result, EPA may be wasting government resources by allowing some OEI employees to have multiple MDs without sufficient justification, allowing employees to have MDs without a sufficient business case, and incurring high charges from employees and contractors who make personal international calls.

Internal Controls and Policies for Mobile Devices Are Not Effective

Initial Mobile Device Issuance and Upgrades

Our findings indicate that a majority of OEI staff have an MD, but some may not need the device to perform their official government duties. Further, employees are upgrading their MDs more frequently than the industry standard. Executive Order 13589, Promoting Efficient Spending, asks each federal agency to take steps to limit the number of MDs issued to employees. We found that OEI lacks SOPs regarding MD issuance and upgrades for OEI employees and contractors. As a result, EPA may be wasting resources by issuing MDs to employees who do not need them and upgrading MDs earlier than necessary.

OEI does not have guidance for managers to help them determine whether a business case exists for an employee to be issued an MD. OEI has issued 434 MDs—306 to OEI employees and 128 to OEI contractors. As of June 2011, OEI had approximately 416 employees, and was unable to provide information on the number of contractor employees. When OEI employees need an MD, they place the request with their immediate supervisor.
Currently, neither OEI nor an OEI-contracted firm requires that supervisors apply criteria or complete any form on the business case justification for MD requests, which results in OEI supervisors making MD approvals without guidance. In FY 2011, OEI spent $465,871 on MD service.

OEI does not have a policy on how frequently OEI employees and contractors can upgrade their MDs. According to OEI, cell phone carriers require federal employees to wait a minimum of 1 year before they can request an upgraded device. We learned that, in some cases, OEI employees upgrade their devices before 1 year by canceling their current line and transferring their device to someone else in OEI. Two custodial officers thought that OEI staff should be required to keep a device for 1 year before requesting an upgrade. A regional technical services unit chief believes it is reasonable to get a new device every 2 years.

We also found that no policies or SOPs exist for custodial officers regarding the appropriateness of type and number of MD accessories. OEI bankcard holders or custodial officers purchase MD accessories through eBusiness and the WCF, or with a bankcard. MD accessories, including cases, headsets, and chargers, can be purchased with a bankcard because they are nonaccountable property, do not contain any EPA data, and do not need an EPA property decal. OEI does not track the cost of MD accessories or the accessories themselves.
One account manager said that the accessories may not be utilized.

OEI has drafted the Mobile Device and Wireless Network Procedures, which aims to require employees and contractors to submit requests to receive an MD, along with a business justification, to their manager for consideration. However, OEI has not finalized these procedures.

Mobile Device Disconnection

OEI does not direct custodial officers or account managers to regularly request and review utilization reports, which are available at any time, and OEI staff persons working with property are not always notified when an employee leaves EPA or transfers to a new EPA program office. Executive Order 13589, Promoting Efficient Spending, states that agencies should assess current device usage and establish controls to ensure that agencies do not pay for underutilized or unused equipment or services. However, no SOPs exist regarding disconnection for OEI employees and contractors, nor are there controls for supervisory review/renewal of the need for continued MD service. As a result, EPA may be paying for MD service on devices that are not being used.

A November 2011 zero usage report[2] found that 68 OEI employees had zero usage over a 6-month period in 2011.
The cost for these 68 monthly MD service bills for the 6-month period was approximately $29,360.[3] OEI indicated that these zero usage users may need to retain active service on these accounts because, depending on the employee, the lack of use may be cyclical or the MD may only be needed for travel or emergency situations.

[2] A zero usage report identifies employees who did not use their cell phones or BlackBerrys in any manner.

In addition, OEI staff responsible for property (hereafter “OEI property staff”) are not always notified when an employee leaves EPA or transfers to a new EPA program office. The eBusiness FY 2011 MD Service Description states that the customer must cancel MD service through eBusiness. However, an OEI property staff person indicated that OEI employees are unsure of the procedures to follow when they no longer need an MD, move to a different EPA program office, or leave the Agency. Thus, OEI property staff are not notified when a user’s service should be disconnected.
One OEI property staff person contacts MD numbers if questions exist regarding usage and whether the employee still works for OEI. This OEI property staff person stated that the MD is disconnected if repeated messages go unanswered or if call recipients do not identify themselves as EPA employees.

Multiple Mobile Devices

OEI allows some employees to have both a cell phone and a BlackBerry for comfort purposes (i.e., employees claim to be more comfortable using a cellular phone to make calls and a BlackBerry to check e-mail), and account managers and custodial officers are not updated with the correct end user information, resulting in inaccurate data in eBusiness. Executive Order 13589, Promoting Efficient Spending, asks each federal agency to take steps to limit the number of MDs issued to employees. OEI lacks internal controls regarding multiple devices; it has no SOPs that prohibit employees from having multiple MDs. Further, inaccurate information in eBusiness may falsely indicate that staff have multiple MDs. As a result, EPA is unnecessarily expending resources on multiple MDs for OEI employees, and may be paying for MD service on devices that are not being used.

eBusiness records from June 14, 2011, indicate that 49 OEI employees had multiple devices. On October 19, 2011, we requested that OEI employees with more than one MD provide confirmation of use for each registered device as well as a business case justification for using more than one MD.
Of the 44 responses from the 49 OEI employees we contacted,[4] 27 confirmed that they only have one device, which means that eBusiness does not have accurate information. Those with multiple MDs gave varied responses as to why they need those devices. Table 1 lists employee and manager justifications for multiple MDs.

[3] Calculated by multiplying the average per-user monthly bill of $71.96 for OEI MD service by 68 (number of employees) and 6 (number of months), rounding up to the nearest dollar.

[4] We learned that five of those we contacted are no longer employed by OEI, and the status of their devices is unknown.

Table 1: OEI justifications for employee possession of multiple MDs
- Registering extra devices for future use by new employees
- Needing a working device when original is broken
- Neglecting to return an international loaner device
- Needing a back-up device for work-related travel
- Ensuring communications during international travel
- Being able to provide a device if a senior manager/official requests one
- Needing an employee to be available around the clock
- Providing a device to a contractor
Source: OIG analysis of responses provided by OEI staff and MD service manager.

While we found little concern among OEI managers about employees having multiple MDs, OEI property staff responsible for tracking
inventory expressed concern about this issue. One custodial officer indicated that some OEI property staff will review inventory on a monthly basis to ensure that eBusiness has MDs correctly registered to the proper end user. Multiple MDs often appear in eBusiness under one person’s name, but the MD does not actually belong to that person. Because account managers and custodial officers are not updated with the correct end user information, eBusiness does not reflect accurate information. OEI recognizes that outdated information in eBusiness can indicate that some staff have multiple MDs when they may not.

Inappropriate Use of Mobile Devices

We found that one OEI employee and one OEI contractor incurred high international roaming charges on their EPA-issued MDs while traveling for personal reasons. EPA Order 2101.0, Limited Personal Use of Government Office Equipment, states that employees may use government office equipment only for authorized purposes. OEI has not established internal controls for inappropriate use of MDs. At the time of our review, there were no finalized SOPs defining inappropriate use of MDs or the manner in which confirmed cases of inappropriate use should be handled. When inappropriate use goes unnoticed, EPA pays for excess charges.

We reviewed call detail reports[5] and eBusiness/WCF billing reports covering a 6-month period (January–June 2011)[6] to identify questionable costs, including high costs and international charges. We found that 19 OEI employees and contractors had made personal international phone calls during that 6-month period, incurring high charges as a result. Phone calls were made to/from, among other places, Denmark, El Salvador, Ethiopia, France, Germany, Honduras, Italy, Kenya, Spain, Sudan, and Turkey. International charges for these 19 employees and contractors during the 6 months totaled $4,136.49. OEI management stated that unless an OEI employee is attending a conference in an international location, the majority of OEI’s work happens domestically. This statement suggests that most international calls are not taking place for business purposes.

[5] Call detail reports provide detailed information regarding all incoming and outgoing phone calls made to and from an MD. For our review, OEI provided call detail reports from four cell phone carriers: AT&T, Verizon, Sprint, and T-Mobile.

[6] The OEI billing invoices we reviewed follow a billing cycle that begins the last week of one month and ends the last week of the following month. Therefore, some of the charges included in our analysis occurred either in December 2010 or July 2011. Two examples of billing invoice statements that included these months are those from 12/24/10 to 01/23/11 and 06/24/11 to 07/23/11.

From the sample of 27 employees and contractors, we selected for further review 1 OEI employee and 1 OEI contractor who had inappropriately used their MDs while traveling internationally for personal reasons.[7] Managers confirmed that both individuals traveled abroad for personal reasons and used their government-issued MDs to make personal phone calls and send text messages while traveling. The OEI employee incurred charges of $1,331.37 for international roaming and other usage charges in a 1-month period. The contractor incurred charges of $824.69 for international roaming and other usage charges over a 2-month period. For both individuals, the charges went unnoticed by account managers and supervisors, and EPA paid for the charges.

OEI supervisors and account managers do not review or monitor invoices in eBusiness on a regular basis, but rather at the end of the fiscal year, and one account manager is responsible for reviewing the records of hundreds of employees/contractors. However, if inappropriate use becomes apparent, supervisors deal with it on a case-by-case basis. Some supervisors may terminate MD service or expect the employee to repay the costs. In our sample, the OEI employee received a warning, whereas the contractor’s supervisor was going to direct the contractor to repay the costs of the personal international calls.

OEI has two draft procedural documents related to inappropriate use of MDs.
The draft Mobile Device and Wireless Network Procedures instructs EPA employees, managers, contractors, and grantees to consult with their managers if they have questions regarding the appropriate use of their MDs. The draft International Travel Procedure for Mobile Devices states that EPA-issued MDs and laptops are only for government-authorized uses.

[7] Our billing invoice analysis found that 8 of 27 OEI employees and contractors did not make any international calls. We selected 1 OEI employee and 1 OEI contractor for further review. Of the 27 in our sample, we did not verify whether the remaining 17 employees and contractors with international calls made those calls for personal reasons.

Processes for Tracking and Recovering Mobile Devices

OEI does not effectively track and recover all MDs. The Custodial Officers’ Guide states that custodial officers are to enter property data into receiving logs and apply decals to the property, enter the information into the Integrated Financial Management System,[8] and deliver the decaled property to the end user. The guide and the Office of Administration and Resources Management Facilities Management and Services Division’s EPA Personal Property Policy and Procedures Manual list cellular telephones and BlackBerrys as sensitive items. Both define sensitive items as nonexpendable items that may be converted to private use or have a high potential for theft, and that must be recorded as accountable property. This type of accountability requires property to be tracked throughout its life cycle, regardless of cost or value. However, OEI employees and contractors do not have SOPs on their role in the MD tracking and recovery process, resulting in inaccurate equipment records and wasted resources in trying to reconcile and track property.

[8] As of October 21, 2011, Compass replaced the Integrated Financial Management System.

We verified that OEI custodial officers decal MDs as sensitive items, maintain property inventory spreadsheets, and report lost or stolen MDs to the Board of Survey.[9] However, we found that (1) OEI employees and contractors do not always notify custodial officers when MDs are transferred to other end users; (2) on some occasions, when a new employee needs a device, OEI will put a current employee’s name on the account but will not go back into eBusiness to update records to reflect the correct end user; and (3) OEI employees are unaware of what to do with MDs once they no longer need them and do not properly return MDs when they are no longer in use. As a result of these situations, MDs may not be registered to the correct end user in eBusiness.

[9] The Board of Survey serves as a fact-finding body charged with determining the circumstances and conditions of each case in which EPA property is declared lost, damaged, or destroyed.

Conclusion

Developing and implementing organization-wide, detailed SOPs will help ensure that OEI has controls for issuance, disconnection, multiple MDs, inappropriate use, and tracking and recovery. Further, it is important that OEI improve its financial management of MDs by requiring business case justifications for users generally and users of multiple MDs, and taking appropriate action to identify and eliminate unauthorized calls.

Recommendations

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer:

1. Develop and implement SOPs for OEI employees and contractors, as well as account managers/property staff, on each step of the MD process. SOPs should:

   a. Require custodial officers to, on a quarterly basis, verify/confirm the accuracy of eBusiness information on MD user registration and utilization.

   b. Develop standardized business case justifications for issuing an MD that supervisors can utilize. Require supervisors to review justifications annually.

   c. Develop an appropriate MD upgrade and replacement schedule consistent with the industry standard for upgrading wireless devices that includes conditions and justifications for approving upgrades sooner than the standard.

   d. Address the number and type of MD accessories that may be purchased, and require custodial officers to track accessory costs.

   e. Include standard procedures for addressing inappropriate use of an MD, including consequences.

   f. Develop eBusiness design changes that would trigger the system to notify account managers when a predetermined cost threshold is reached, which may indicate potentially inappropriate use of an MD.

   g. Allow approved users to possess either a cell phone or a BlackBerry, or require additional documented justification and annual review if an employee requires multiple devices.

   h. Review the business need for MD users with low utilization of their monthly plan minute allotments (less than 1, 10, 20, and 30 percent utilization as described in EPA’s Mobile Device Service Review and Optimization Analysis) and terminate service where appropriate.

   i. Require end users to notify their property staff when they no longer need a device, transfer to another EPA program office, or leave the Agency. Instruct end users on the proper procedure for turning in their MDs.

2. Follow up with OEI managers and determine:

   a. Whether there is a valid business case justification for those staff using multiple MDs, and determine whether one of the devices should be returned to the Agency.

   b. Whether the international calls made during January–June 2011 by the remaining 17 OEI employees and contractors we identified in our sample of 27 were inappropriate, and take action based on SOPs developed per recommendation 1.

3. Finalize Agency-wide draft domestic and international MD procedures and develop other Agency-wide procedures as necessary that consider SOPs that encompass the areas listed in recommendation 1.

Agency Comments and OIG Evaluation

OEI concurred with all of our recommendations except for 1-d and 1-f. On 1-d, OEI correctly notes that EPA’s Personal Property Policy and Procedures Manual does not include items valued at less than $5,000 unless they are sensitive items; however, the Custodial Officers’ Guide does require an EPA property decal on accessories. We support OEI’s plan to include in the SOP a standardized accessories list in the business case justifications for MD issuance, and we urge OEI to base accessory purchases on need and requests from users.
This would mitigate one instance we heard about during our review where an account manager said they ordered all accessories that came with the device in advance and then gave them to the employee who said they did not want them. The account manager said they kept unwanted accessories and gave them to another person at a later time, and learned not to order as many accessories before users request them. Another account manager said that accessories are usually approved for staff, and OEI does not know how much it spends on accessories each year. We agree that OEI’s planned SOP should address necessity and use of MD accessories.

On 1-f, we agree with OEI that adequate information sources exist where account managers can monitor mobile device usage; however, we learned that account managers do not regularly review these sources. One account manager, who oversees hundreds of contractors, said they only review usage once a year at the end of the fiscal year and not on a more routine basis. This account manager oversaw the inappropriate charges that formed the basis for the May 2011 hotline complaint to our office; however, the account manager did not notice these charges until the manager’s review at the end of the fiscal year (September 2011). As of the date of an interview with us in October 2011, another account manager had not reviewed any usage in 2011, and this account manager only oversees 12 users as opposed to the aforementioned account manager’s workload. While OEI
While OEI\n            receives \xe2\x80\x9czero usage reports\xe2\x80\x9d from carriers on a regular basis and custodial\n            officers and account managers can request a utilization report at any time, account\n            managers do not routinely review them but for once annually. As such, OEI needs\n            to do more than \xe2\x80\x9ceducate\xe2\x80\x9d account managers on usage reports. This\n            recommendation remains unresolved pending more specificity from OEI on\n            monitoring inappropriate device usage. OEI\xe2\x80\x99s comments on not exceeding\n            Agency-wide pooled minutes does not address the appropriateness of having staff\n            retain devices when those staff had zero usage over a 6-month time frame.\n\n            Appendix B contains OEI\xe2\x80\x99s full response to our draft report and planned actions\n            to address our recommendations. Our recommendations remain open pending\n            OEI\xe2\x80\x99s corrective action plan with milestone dates\xe2\x80\x94particularly for the primary\n            SOP OEI cites throughout its response\xe2\x80\x94as well as additional specificity from\n            OEI on monitoring inappropriate device usage.\n\n\n\n\n12-P-0427                                                                                     14\n\x0c                           Status of Recommendations and\n                             Potential Monetary Benefits\n                                                                                                                           POTENTIAL MONETARY\n                                             RECOMMENDATIONS                                                                BENEFITS (in $000s)\n\n                                                                                                               Planned\n Rec.   
Page                                                                                                  Completion   Claimed    Agreed-To\n No.     No.                       Subject                          Status1         Action Official              Date      Amount      Amount\n\n  1      12    Develop and implement SOPs for OEI employees                    Assistant Administrator for\n               and contractors, as well as account managers/                   Environmental Information\n               property staff, on each step of the MD process.                and Chief Information Officer\n               SOPs should:\n                 a.    Require custodial officers to, on a            O\n                       quarterly basis, verify/confirm the\n                       accuracy of eBusiness information on\n                       MD user registration and utilization.\n                 b.    Develop standardized business case             O\n                       justifications for issuing an MD that\n                       supervisors can utilize. Require\n                       supervisors to review justifications\n                       annually.\n                 c.    Develop an appropriate MD upgrade and          O\n                       replacement schedule consistent with the\n                       industry standard for upgrading wireless\n                       devices that includes conditions and\n                       justifications for approving upgrades\n                       sooner than the standard.\n                 d.    Address the number and type of MD              O\n                       accessories that may be purchased, and\n                       require custodial officers to track\n                       accessory costs.\n                 e.    Include standard procedures for                O\n                       addressing inappropriate use of an MD,\n                       including consequences.\n                 f.    
Develop eBusiness design changes that          O\n                       would trigger the system to notify account\n                       managers when a predetermined cost\n                       threshold is reached, which may indicate\n                       potentially inappropriate use of an MD.\n                 g.    Allow approved users to possess either a       O\n                       cell phone or a BlackBerry, or require\n                       additional documented justification and\n                       annual review if an employee requires\n                       multiple devices.\n                                                                                                                             $29\n                 h.    Review the business need for MD users          O\n                       with low utilization of their monthly plan\n                       minute allotments (less than 1, 10, 20, or\n                       30 percent utilization as described in\n                       EPA\xe2\x80\x99s Mobile Device Service Review and\n                       Optimization Analysis) and terminate\n                       service where appropriate.\n                 i.    Require end users to notify their property     O\n                       staff when they no longer need a device,\n                       transfer to another EPA program office, or\n                       leave the Agency. 
Instruct end users on\n                       the proper procedure for turning in their\n                       MDs.\n\n\n\n\n12-P-0427                                                                                                                                    15\n\x0c                                                                                                                                  POTENTIAL MONETARY\n                                                   RECOMMENDATIONS                                                                 BENEFITS (in $000s)\n\n                                                                                                                      Planned\n    Rec.    Page                                                                                                     Completion   Claimed    Agreed-To\n    No.      No.                         Subject                           Status1         Action Official              Date      Amount      Amount\n\n     2        13    Follow up with OEI managers and determine:                        Assistant Administrator for\n                                                                                      Environmental Information\n                      a.    Whether there is a valid business case           O       and Chief Information Officer\n                            justification for those staff using multiple\n                            MDs, and determine whether one of the\n                            devices should be returned to the Agency.\n                      b.    
Whether the international calls made             O\n                            during January\xe2\x80\x93June 2011 by the\n                            remaining 17 OEI employees and\n                            contractors we identified in our sample of\n                            27 were inappropriate, and take action\n                            based on SOPs developed per\n                            recommendation 1.\n\n     3       13     Finalize Agency-wide draft domestic and                  O        Assistant Administrator for\n                    international MD procedures and develop other                     Environmental Information\n                    Agency-wide procedures as necessary that                         and Chief Information Officer\n                    consider SOPs that encompass the areas listed in\n                    recommendation 1.\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is unresolved with resolution efforts in progress\n\n\n\n\n12-P-0427                                                                                                                                           16\n\x0c                                                                                           Appendix A\n\n                     Details on Scope and Methodology\nTable A-1: OIG steps to investigate hotline complaint\n Area of concern      Steps\n Issuance             \xef\x83\x98   Reviewed eBusiness records and other sources to identify the number of OEI\n                          staff with MDs and related costs\n                      \xef\x83\x98   Discussed business case justifications with supervisors\n Disconnection        \xef\x83\x98   Interviewed a custodial officer on the process for assessing usage and\n                          determining disconnections\n                      \xef\x83\x98   Reviewed a 
    November 2011 zero usage report to identify OEI employees who did not use their MDs in any manner over a 6-month period

Area of concern: Multiple MDs
  - Reviewed eBusiness records and files OEI provided identifying staff with multiple MDs
  - Queried staff, managers, and a custodial officer as to the business case justification for having multiple MDs

Area of concern: Inappropriate use
  - Reviewed call detail reports and eBusiness/WCF billing reports covering a 6-month period (January–June 2011) to identify questionable costs, including high costs and international charges
      o Held a webinar with the WCF Mobile Device Services Manager and an EDSD contractor to understand how the source data delivered from the carriers is converted into a Microsoft Excel file, known as a CDR, which OEI provided us for our analysis.
      o Using a filter in the CDRs, we identified all calls made to international locations and calls with charges over $20.00.
      o We analyzed the eBusiness/WCF billing reports by the OEI account managers, which resulted from our CDR analysis, for international roaming charges and charges over $100.00.
  - Reviewed billing invoices on a sample of OEI and contractor personnel we identified as having questionable charges and discussed charges and responsive actions with account managers and two supervisors (one who supervises an EPA employee and one who supervises a contractor)
      o Held a webinar with a Business Analyst/Billing Invoices Manager and the WCF Mobile Device Services Manager to understand how OEI downloaded the MD billing invoices from the carrier website to provide them to us in an Adobe PDF format for our analysis.
      o The final billing invoices sample included all persons identified with international roaming charges in the CDR and eBusiness billing reports by account manager.

Area of concern: Tracking and recovery
  - Reviewed eBusiness records to ascertain appropriate end user registrations
  - Interviewed custodial officers on the process for obtaining MDs once staff no longer needs them
  - Reviewed a memo titled "Missing Accountable Personal Property" to determine if missing items of accountable property were MDs within OEI

Source: OIG.

Appendix B

Office of Environmental Information’s Response to Draft Report

In response to the draft Audit Report, "Office of Environmental Information Should Strengthen Controls Over Mobile Devices, Project Number OA-FYII-0278", the Office of Environmental Information is pleased to provide you with our responses to the following OIG recommendations.

1. Develop and implement Standard Operating Procedures (SOPs) for OEI employees and contractors, as well as account managers/property staff, on each step of the Mobile Devices (MD) process. SOPs should:

a. Require custodial officers to, on a quarterly basis, verify/confirm the accuracy of eBusiness information on MD user registration and utilization.

Concur. OEI's Office of Planning, Resources and Outreach (OPRO) plans to develop a SOP to ensure that both the custodial officers and Working Capital Fund (WCF) Account Managers do their part to verify/confirm the accuracy of eBusiness registration and utilization.

b. Develop standardized business case justifications for issuing a MD that supervisors can utilize. Require supervisors to review justifications annually.

Concur. The planned SOP will develop standardized business case justifications for issuing a MD that a supervisor can utilize. OEI plans to develop the SOP to require supervisors to review justifications annually by coordinating with the WCF account manager.

c. Develop an appropriate MD upgrade and replacement schedule consistent with the industry standard for upgrading wireless devices that includes conditions and justifications for approving upgrades sooner than the standard.

Concur. OEI plans to develop two actions for this recommendation.
    The two actions are as follows:

       1.  Develop an appropriate MD upgrade and replacement schedule consistent with the industry
           standard for upgrading wireless devices.
       2.  Promulgate a schedule that includes conditions and justifications for approving upgrades sooner
           than the standard.

    In response to action 1: OTOP procures mobile devices for EPA WCF customers (including OEI) who
    place orders in eBusiness using EPA contracts with our carriers that were established via Blanket
    Purchase Agreements (BPAs). In turn, these BPAs use GSA's Federal Supply Schedule (FSS) contracts
    with our carriers that have terms/conditions that dictate when a mobile device can be upgraded which is
    based on the length of time each line of service has been in place. Per GSA FSS contracts with the
    carriers, the minimum length of time for an existing line of service that qualifies for a zero cost equipment
    upgrade is one year. These terms/conditions apply across all agencies that use GSA's FSS carrier
    contracts including EPA. These one-year terms/conditions are applicable to the federal government
    which is different than the commercial service entity carriers provided to consumers (typically 18 months
    to 2-years before an upgrade can be requested).

    EPA WCF customers can select either zero cost equipment or equipment that has a significant
    government discount that is offered by the carrier that is much lower. Most EPA WCF customers,
    including OEI customers, select the zero cost equipment option available from the carriers.

    Corrective Action:
    OTOP will recommend/communicate via established communication sources (i.e., WCF monthly reports,
    etc.) that WCF customers should use the zero cost equipment option when replacing mobile devices. The
    aforementioned action will be communicated to OEI/OPRO within a 30-day time frame commencing in
    April 2012.
    In addition, OTOP will provide this same information for inclusion in the Agency Mobile
    Device and Wireless procedure when finalized.

    In response to action 2: OPRO plans to include in the SOP a schedule that includes conditions and
    justifications for approving upgrades sooner than the standard.

d.  Address the number and type of MD accessories that may be purchased, and require custodial officers to
    track accessory costs.

    Do not concur. OEI believes it is not efficient or in keeping with Agency policy for custodial officers to
    track MD accessories. In addition, tracking the cost of such items alone is not likely to decrease
    acquisitions of MD accessories. EPA's Personal Property Policy and Procedures manual does not
    include items valued at less than $5,000 unless they are sensitive items.

    However, OEI plans to include in the SOP a standard accessories list in the standardized business case
    justifications for issuance of MD that supervisors can utilize. Use of the SOP will result in both more
    efficient methods of acquiring MD accessories (through eBusiness) while providing information about
    their necessity and likely use.

e.  Include standard procedures for addressing inappropriate use of a MD, including consequences.

    Concur. The planned SOP will reference the Agency's conduct and discipline Order and the Agency's
    Disciplinary Handbook to determine appropriate consequences when inappropriate use of a MD is
    determined.

f.  Develop eBusiness design changes that would trigger the system to notify account managers when a
    predetermined cost threshold is reached, which may indicate potentially inappropriate use of a MD.

    Do not concur.
    OEI believes there are adequate information sources currently available for individual
    account managers to monitor mobile device usage without the establishment of thresholds. OEI/OTOP
    will continue to work with account managers to educate them on usage reports.

    In December 2011, this request was put before the eBusiness Configuration Control Board (CCB) under
    request number 11871, and it was disapproved as an ineffective approach to managing usage under the
    pooled minutes plan. The Board noted that the eBusiness sorting capability will support reviewing bills
    from high to low values to review charges in lieu of maintaining thresholds. This Board is primarily made
    up of customer representatives from the different EPA program and regional offices.

    eBusiness currently offers a service specific report for all mobile devices which displays account
    information, office, user, charges, minutes used, rate plan and device. The report can be sorted to review
    minutes used by account by user without the need to set thresholds. Since the Mobile Device Service has
    moved from individual rate plans to Agency-wide pooled minutes, no one is assigned to a measurable
    rate plan. A threshold would have to be set for each user based on an average of "normal" device activity.
    Since the inception of the pooled minutes plan, the EPA has not exceeded the total pool threshold and no
    additional charges for additional minutes have occurred. In addition, we currently have an EPA
    inventory of just under 6,600 units which would make the individual calculation of thresholds an
    unnecessary expense.

g.  Allow approved users to possess either a cell phone or a BlackBerry, or require additional documented
    justification and annual review if an employee requires multiple devices.

    Concur. OPRO will include within the planned SOP a standardized business case justification for MD
    issuance.
    This information can assist supervisors in determining if additional devices are needed.

h.  Review the business need for MD users with low utilization of their monthly plan minute allotments (less
    than 1, 10, 20, and 30 percent utilization as described in EPA's Mobile Device Service Review and
    Optimization Analysis) and terminate service where appropriate.

    Concur. OPRO will include in the planned SOP a quarterly review of zero usage reports from the cell
    carriers and termination of service where appropriate. Utilization of plan minutes is not the best
    indicator of device use, as a review of Service reports indicates that many users with high use of their
    device primarily use the data functions of the MD for text and email, while using only a minimal number
    of voice minutes.

i.  Require end users to notify their property staff when they no longer need a device, transfer to another
    EPA program office, or leave the Agency. Instruct end users on the proper procedure for turning in their
    MDs.

    Concur. OPRO will include within the planned SOP for employee provisioning/deprovisioning a step that
    the employee notifies property staff if they no longer need a device. In addition, OPRO will ensure that
    the SOP for the custodial officer and WCF account manager includes coordination of a quarterly review
    of employee devices and usage.

2.  Follow up with OEI managers and determine:

a.  Whether there is a valid business case justification for those staff using multiple MDs, and determine
    whether one of the devices should be returned to the Agency.

    Concur. The planned SOP will develop standardized business case justifications for issuing a MD that
    supervisors can utilize.
    In cases where multiple devices have been issued, OEI will develop the SOP to
    require supervisors to review justifications annually by coordinating with the WCF account manager.

b.  Whether the international calls made during January-June 2011 by the remaining 19 OEI employees and
    contractors we identified in our sample of 27 were inappropriate, and take action based on SOPs
    developed per recommendation 1.

    Concur. OEI plans to follow up with managers and determine if the identified employees fall within the
    Agency's conduct and discipline Order and the Agency's Disciplinary Handbook. For contractors that
    have been identified, OEI management will request the Contracting Officer and Contracting Officer
    Representative investigate the use of the MD and will take appropriate steps as allowed under the
    contract.

3.  Finalize Agency-wide draft domestic and international MD procedures and develop other Agency-wide
    procedures as necessary that consider SOPs that encompass the areas listed in recommendation 1.

    Concur.

    OEI believes that two actions should be created for this recommendation.

       1.  Finalize the procedure for domestic use which OEI OTOP leads.
       2.  Finalize the procedure for international use which the OEI SAISO leads.

    OTOP Corrective Action: Finalize the draft Mobile Device and Wireless Procedure by the end of
    calendar year 2012.

    SAISO Corrective Action: A procedure addressing international travel for mobile devices has been
    drafted and we expect to have a final version by October 1, 2012.

    Should you have any questions regarding our corrective action plan, please contact Scott Dockum at
    202-566-1914 or dockum.scott@epa.gov.

cc:     Rudolph Brevard, Office of Inspector General, OMS
        Pat Hill, Office of Inspector General, OMS
        James McDonald, Office of Environmental Information, OPRO
        Robert McKinney, Office of Environmental Information, SAISO
        Vaughn Noga, Office of Environmental Information, OTOP
        Scott Dockum, Office of Environmental Information, OPRO

Appendix C

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Follow-Up Coordinator, Office of Environmental Information